
I recently downloaded Filezilla from Sourceforge, scanned it before installing and got a little surprise...the Vosteran browser hijack. I uninstalled it from my control panel (Windows 7) and did a virus scan and two malwarebyte scans and I thought I was clean. That was last week. Today as I opened a program, I got a msg stating that Vosteran had installed a TAB or something in Chrome and I opened Chrome and there she was! I use Firefox.

Is there an easy way to get rid of it?

I have used Filezilla before and didn't realize that sourceforge was bundling malware.


Download Security Check from here or here and save it to your Desktop.

Double-click SecurityCheck.exe

Follow the onscreen instructions inside of the black box.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.

NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run.

Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.

Double click on downloaded file. OK self extracting prompt.

MBAR will start. Click "Next" to continue.

Click in the following screen "Update" to obtain the latest malware definitions.

Once the update is complete select "Next" and click "Scan".

When the scan is finished and no malware has been found select "Exit".

If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.

Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:

"mbar-log-{date} (xx-xx-xx).txt"

"system-log.txt"

NOTE. If you see This version requires you to completely exit the Anti Malware application message right click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.

Please download Rkill (courtesy of BleepingComputer.com) to your desktop. There are 2 different versions. If one of them won't run then download and try to run the other one. You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

If using Vista or Windows 7 right-click on it and choose Run As Administrator.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

If not, delete the file, then download and use the one provided in Link 2.

Do not reboot until instructed.

If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log. Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE. Do NOT wrap your logs in "quote" or "code" brackets. Do NOT use spoilers. Do NOT edit your reply to post additional logs. Create new reply. I'll not get any email notifications about edits so I won't know you posted something new.

Thank you for your very prompt reply. I am in a bit of a desperate mode and need to get some work done on my computer. Right as I started this process, as I hit a link to this page, it opened up in Chrome and the screen was filled with pop-up ads. I use Firefox and noticed earlier today that when I opened Chrome, I got the Vosteran search screen. Firefox seems fine.

I had a few issues when going through your instructions. For one, I ran MalwareBytes and did as you instructed but when I looked in history, checked the box of the most recent scan, I didn't see an export button. I'll attach a screenshot. The other issue was the MBam Root Kill wouldn't run, so I exited the program as you instructed.

When I started the first program (Security Check) it saved the log in a program I had installed, Notepad+ and it was storing the files in the program area so I deleted the program and then my log files were in Notepad.

FSS:

Farbar Service Scanner Version: 21-07-2014
Ran by Tooloose (administrator) on 27-11-2014 at 03:43:13
Running from "C:\Users\Tooloose\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
PS I don't see an ADD ATTACHMENT feature for the screenshot of MalwareBytes History Log without an EXPORT BUTTON.

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

Error: (11/27/2014 03:33:37 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (11/27/2014 03:11:41 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (11/26/2014 08:58:45 PM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

CodeIntegrity Errors:
===================================
Date: 2013-10-16 14:47:53.087
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2013-10-16 14:47:53.037
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2013-10-16 14:45:37.535
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2013-10-16 14:45:37.475
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2013-10-16 14:43:44.804
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2013-10-16 14:43:44.742
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

PS - I opened the Chrome browser and Vosteran still has a stranglehold on it. The search page opens with my start-up page (Yahoo.) I tried resetting the homepage and that Vosteran search page came up again. I'm not having any issues with Firefox.

Hello again. The Sophos scan took over three hours. Anyway, there was no report generated from TFC. It said there were no infections. Sophos also said there were no infections. I'm attaching the other two logs.

HOWEVER - I decided to check Chrome and Vosteran search screen is still there, over my default homepage. Where is it hiding? Does the fact that the root-kit kill program failed suggest the infection is hiding there? This is a nasty one.

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: If you're running 64-bit system make sure you install BOTH, 32-bit and 64-bit Java.

Note 3: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

==============================================

Your computer is clean

1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments... This is a very crucial step so make sure you don't skip it. Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool. Make sure the following items are checked:

Activate UAC (optional; some users prefer to keep it off)

Remove disinfection tools

Create registry backup

Purge System Restore

Reset system settings

Now click "Run" and wait patiently. Once finished a logfile will be created. You don't have to attach it to your next reply.

2. Make sure Windows Updates are current.

3. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker. The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

Hi. I wonder if I screwed up your instructions. In order to keep all the infection tools organized, I stored them in a folder on my desktop. I ran the program Delfix and it was finished in just a minute, contrary to suggesting I be patient. I checked the folder and all the exe icons and txt logs are still there. I looked in installed programs and Sophos is still installed. I did see the program go through the process of cleaning my restore system points.

I am still working on this last step. I removed the programs manually and installed Secunia Personal Software Inspector and it brought up some issues for me. Microsoft XML Core Services (MSXML) I read about it and it seems to be associated with other programs, probably the Netframe. I don't have any MS software on this computer (at least I didn't install any, other than Windows related.) I click on the link to update and it takes me to a screen with four different options. I have no idea which one to select. And then there's Adobe. I am not fond of software that installs itself on my computer without my permission. Adobe installed AIR and I don't use the "cloud" at all, and have no intentions of ever doing so. I do have one Adobe product, Quicktime. I don't use Adobe reader but purchased Corel Fusion instead. Since these issues are not related to my cleaned infection, I hope you will move it to an appropriate forum.

As far as the infection, I am clean and you did a fantastic job of helping me to get rid of it. The funny thing is I try to be very careful and have installed Filezilla before but didn't realize that SourceForge moved into the malware business. I take note of your suggestion to always download via the custom option.

BTW, I downloaded Secunia and updated all my software except for one, Microsoft XML Core Services because it offered me four or five downloads and I didn't know which was appropriate for me (I'll post a msg in a Windows forum about that) but since cleaning my computer, I've had a series of shockwave crashes on YouTube. I wasn't having that problem before. If you have any suggestions, I'm all eyes (and fingers.) Thanks again.

I use Firefox. It was late at night the last time it happened. I will be more vigilant and make sure it was Shockwave and not Flash. If it happens again, I'll try Chrome (which I can now do, since you helped me clean it up.) I've been getting script errors in Yahoo mail and just had a 'technical glitch' msg box that told me to refresh my page while I was writing email.